[selinux-policy/f16] - Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t un
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Aug 24 08:22:16 UTC 2011
commit ff6f661db9707fb2ef46222ab01dcd8e516213b3
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Aug 24 10:21:48 2011 +0200
- Allow insmod_t to use fds leaked from devicekit
- dontaudit getattr between insmod_t and init_t unix_stream_sockets
- Change sysctl unit file interfaces to use systemctl
- Add support for chronyd unit file
- Allow mozilla_plugin to read gnome_usr_config
- Add policy for new gpsd
- Allow cups to create kerberos rhost cache files
- Add authlogin_filetrans_named_content to unconfined_t to make sure shadow and other log files get labeled correctly
policy-F16.patch | 457 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 12 ++-
2 files changed, 356 insertions(+), 113 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d69b112..207bd6d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2572,15 +2572,16 @@ index 95bce88..1a53b7b 100644
optional_policy(`
hostname_exec(shorewall_t)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d0604cf..15311b4 100644
+index d0604cf..95c53c5 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
-@@ -18,9 +18,12 @@ interface(`shutdown_domtrans',`
+@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
+ optional_policy(`
+ systemd_exec_systemctl($1)
++ init_stream_connect($1)
+ ')
+
ifdef(`hide_broken_symptoms', `
@@ -2590,7 +2591,7 @@ index d0604cf..15311b4 100644
')
')
-@@ -51,6 +54,73 @@ interface(`shutdown_run',`
+@@ -51,6 +55,73 @@ interface(`shutdown_run',`
########################################
## <summary>
@@ -6950,7 +6951,7 @@ index fbb5c5a..83fc139 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..d4c78ac 100644
+index 2e9318b..68929b9 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -7097,7 +7098,7 @@ index 2e9318b..d4c78ac 100644
tunable_policy(`allow_execmem',`
allow mozilla_plugin_t self:process { execmem execstack };
-@@ -425,6 +445,11 @@ optional_policy(`
+@@ -425,7 +445,13 @@ optional_policy(`
')
optional_policy(`
@@ -7107,9 +7108,11 @@ index 2e9318b..d4c78ac 100644
+
+optional_policy(`
gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
')
-@@ -438,7 +463,14 @@ optional_policy(`
+ optional_policy(`
+@@ -438,7 +464,14 @@ optional_policy(`
')
optional_policy(`
@@ -7125,7 +7128,7 @@ index 2e9318b..d4c78ac 100644
')
optional_policy(`
-@@ -446,10 +478,27 @@ optional_policy(`
+@@ -446,10 +479,27 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -10691,7 +10694,7 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..51756fc 100644
+index 3fae11a..f8f940f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -10850,18 +10853,19 @@ index 3fae11a..51756fc 100644
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +298,9 @@ ifdef(`distro_gentoo',`
+@@ -293,8 +298,10 @@ ifdef(`distro_gentoo',`
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0)
++/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -307,9 +313,8 @@ ifdef(`distro_redhat', `
+@@ -307,9 +314,8 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10872,7 +10876,7 @@ index 3fae11a..51756fc 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +324,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +325,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10884,7 +10888,7 @@ index 3fae11a..51756fc 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +370,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +371,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -10893,7 +10897,7 @@ index 3fae11a..51756fc 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +382,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +383,9 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10904,7 +10908,7 @@ index 3fae11a..51756fc 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +393,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +394,4 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -19658,10 +19662,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..f88b087
+index 0000000..a55926b
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,533 @@
+@@ -0,0 +1,531 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -19754,6 +19758,8 @@ index 0000000..f88b087
+storage_filetrans_all_named_dev(unconfined_t)
+term_filetrans_all_named_dev(unconfined_t)
+
++authlogin_filetrans_named_content(unconfined_t)
++
+sysnet_etc_filetrans_config(unconfined_t, "resolv.conf")
+sysnet_etc_filetrans_config(unconfined_t, "denyhosts")
+sysnet_etc_filetrans_config(unconfined_t, "hosts")
@@ -19925,10 +19931,6 @@ index 0000000..f88b087
+')
+
+optional_policy(`
-+ cron_unconfined_role(unconfined_r, unconfined_t)
-+')
-+
-+optional_policy(`
+ chrome_role_notrans(unconfined_r, unconfined_usertype)
+
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -25891,8 +25893,25 @@ index dad226c..7617c53 100644
logging_send_syslog_msg(cgred_t)
miscfiles_read_localization(cgred_t)
+diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
+index fd8cd0b..46678a2 100644
+--- a/policy/modules/services/chronyd.fc
++++ b/policy/modules/services/chronyd.fc
+@@ -2,8 +2,12 @@
+
+ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+
++/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0)
++
+ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
+
+ /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
+ /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0)
+ /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
++/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..2ede737 100644
+index 9a0da94..f599a70 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
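Review bot: The new unit-file context `/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0)` misspells the daemon name, so the real chronyd.service never gets chronyd_unit_t and the chronyd_systemctl interface added later in this series has nothing to match; it should read `/lib/systemd/system/chronyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0)`. Two lines further down, `/var/run/chronyd(/.*)` lacks the trailing `?` that the neighbouring specs use, so the directory itself is not matched: chronyd.te now creates it as chronyd_var_run_t via files_pid_filetrans, but a restorecon would presumably relabel it to the generic pid type. `/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0)` fixes that.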
@@ -25920,7 +25939,7 @@ index 9a0da94..2ede737 100644
####################################
## <summary>
## Execute chronyd
-@@ -56,6 +74,64 @@ interface(`chronyd_read_log',`
+@@ -56,6 +74,103 @@ interface(`chronyd_read_log',`
read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
')
@@ -25982,10 +26001,49 @@ index 9a0da94..2ede737 100644
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
+')
+
++########################################
++## <summary>
++## Execute chronyd server in the chronyd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`chronyd_systemctl',`
++ gen_require(`
++ type chronyd_unit_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 chronyd_unit_t:file read_file_perms;
++ allow $1 chronyd_unit_t:service all_service_perms;
++')
++
++########################################
++## <summary>
++## Connect to chronyd over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`chronyd_stream_connect',`
++ gen_require(`
++ type chronyd_t, chronyd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
++')
++
####################################
## <summary>
## All of the rules required to administrate
-@@ -75,9 +151,9 @@ interface(`chronyd_read_log',`
+@@ -75,9 +190,9 @@ interface(`chronyd_read_log',`
#
interface(`chronyd_admin',`
gen_require(`
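Review bot: The summary of the new chronyd_systemctl interface, `## Execute chronyd server in the chronyd domain.`, and its parameter text `## Domain allowed to transition.` are copied from a domtrans interface and do not describe what the body grants, which is systemctl execution plus read access to the unit file and all_service_perms on it; suggest `## Manage the chronyd systemd unit via systemctl.` and `## Domain allowed access.`. all_service_perms matches the other *_systemctl interfaces in this series, but it presumably expands to the full start/stop/status/reload/enable/disable set, which is worth stating in the summary so that callers such as gnomeclock_t see the extent of what they receive. The chronyd_stream_connect summary should read `## Connect to chronyd over a unix stream socket.`.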
@@ -25998,7 +26056,7 @@ index 9a0da94..2ede737 100644
')
allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +164,17 @@ interface(`chronyd_admin',`
+@@ -88,18 +203,19 @@ interface(`chronyd_admin',`
role_transition $2 chronyd_initrc_exec_t system_r;
allow $2 system_r;
@@ -26021,22 +26079,27 @@ index 9a0da94..2ede737 100644
- files_search_tmp($1)
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
++
++ chronyd_sysemctl($1)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..db20d26 100644
+index fa82327..4b32348 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
-@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
+@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
type chronyd_keys_t;
files_type(chronyd_keys_t)
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
++type chronyd_unit_t;
++systemd_unit_file(chronyd_unit_t)
++
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
-@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+@@ -34,9 +40,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
allow chronyd_t self:shm create_shm_perms;
allow chronyd_t self:udp_socket create_socket_perms;
allow chronyd_t self:unix_dgram_socket create_socket_perms;
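Review bot: `chronyd_sysemctl($1)` added at the end of chronyd_admin is a misspelling of the chronyd_systemctl interface defined earlier in this file; m4 will leave the unknown name unexpanded, which most likely makes checkmodule reject any module that calls chronyd_admin. Change it to `chronyd_systemctl($1)`. The chronyd.te part of this hunk (chronyd_unit_t and systemd_unit_file) looks fine on its own.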
@@ -26051,9 +26114,13 @@ index fa82327..db20d26 100644
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+@@ -48,8 +59,14 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+
+ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
- files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
+-files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++manage_sock_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
++files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
+kernel_read_system_state(chronyd_t)
+
@@ -26063,7 +26130,7 @@ index fa82327..db20d26 100644
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t)
+@@ -63,6 +80,8 @@ logging_send_syslog_msg(chronyd_t)
miscfiles_read_localization(chronyd_t)
@@ -29108,7 +29175,7 @@ index 305ddf4..173cd16 100644
admin_pattern($1, ptal_etc_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..a3a6265 100644
+index 0f28095..e6225d3 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -29183,7 +29250,15 @@ index 0f28095..a3a6265 100644
')
')
-@@ -315,6 +315,14 @@ optional_policy(`
+@@ -311,10 +311,22 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_manage_host_rcache(cupsd_t)
++')
++
++optional_policy(`
+ logrotate_domtrans(cupsd_t)
')
optional_policy(`
@@ -29198,7 +29273,7 @@ index 0f28095..a3a6265 100644
mta_send_mail(cupsd_t)
')
-@@ -371,8 +379,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -29209,7 +29284,7 @@ index 0f28095..a3a6265 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
dev_rw_generic_usb_dev(cupsd_config_t)
@@ -29220,7 +29295,7 @@ index 0f28095..a3a6265 100644
files_search_all_mountpoints(cupsd_config_t)
-@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -29234,7 +29309,7 @@ index 0f28095..a3a6265 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +466,10 @@ optional_policy(`
+@@ -453,6 +470,10 @@ optional_policy(`
')
optional_policy(`
@@ -29245,7 +29320,7 @@ index 0f28095..a3a6265 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +484,10 @@ optional_policy(`
+@@ -467,6 +488,10 @@ optional_policy(`
')
optional_policy(`
@@ -29256,7 +29331,7 @@ index 0f28095..a3a6265 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -29276,7 +29351,7 @@ index 0f28095..a3a6265 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(cups_pdf_t)
')
@@ -29287,7 +29362,7 @@ index 0f28095..a3a6265 100644
########################################
#
# HPLIP local policy
-@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -29296,7 +29371,7 @@ index 0f28095..a3a6265 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +718,7 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -29304,7 +29379,7 @@ index 0f28095..a3a6265 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -30278,7 +30353,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..0d4a2ea 100644
+index f706b99..13d3a35 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -30318,10 +30393,28 @@ index f706b99..0d4a2ea 100644
## Send to devicekit over a unix domain
## datagram socket.
## </summary>
-@@ -81,6 +99,27 @@ interface(`devicekit_dbus_chat_disk',`
+@@ -81,6 +99,45 @@ interface(`devicekit_dbus_chat_disk',`
########################################
## <summary>
++## Use file descriptors for devicekit_disk.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`devicekit_use_fds_disk',`
++ gen_require(`
++ type devicekit_disk_t;
++ ')
++
++ allow $1 devicekit_disk_t:fd use;
++')
++
++########################################
++## <summary>
+## Dontaudit Send and receive messages from
+## devicekit disk over dbus.
+## </summary>
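Review bot: devicekit_use_fds_disk grants `allow $1 devicekit_disk_t:fd use;` although the commit message describes the descriptors as leaked from devicekit; the surrounding policy handles leaked descriptors with dontaudit (hal_dontaudit_use_fds, kernel_dontaudit_use_fds appear elsewhere in this diff) because an allow lets the caller actually operate on whatever device or socket devicekit failed to close, whereas a dontaudit only silences the denial. The caller (insmod_t per the commit message) is not in this chunk, so unless it genuinely needs the inherited descriptor, consider `dontaudit $1 devicekit_disk_t:fd use;` under a name such as devicekit_dontaudit_use_fds_disk, and in the longer term fixing the leak in devicekit with close-on-exec. The summary `## Use file descriptors for devicekit_disk.` should at least say that the descriptors are inherited ones.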
@@ -30346,7 +30439,7 @@ index f706b99..0d4a2ea 100644
## Send signal devicekit power
## </summary>
## <param name="domain">
-@@ -118,6 +157,62 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +175,62 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
@@ -30409,7 +30502,7 @@ index f706b99..0d4a2ea 100644
########################################
## <summary>
## Read devicekit PID files.
-@@ -139,22 +234,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',`
########################################
## <summary>
@@ -30469,7 +30562,7 @@ index f706b99..0d4a2ea 100644
## </summary>
## </param>
## <rolecap/>
-@@ -165,21 +290,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +308,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -34638,7 +34731,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..a710ddc 100644
+index 4fde46b..983ab3e 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -9,24 +9,32 @@ type gnomeclock_t;
@@ -34677,10 +34770,14 @@ index 4fde46b..a710ddc 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,48 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
++ chronyd_systemctl(gnomeclock_t)
++')
++
++optional_policy(`
+ clock_domtrans(gnomeclock_t)
+')
+
@@ -34700,7 +34797,7 @@ index 4fde46b..a710ddc 100644
+ ntp_domtrans_ntpdate(gnomeclock_t)
+ ntp_initrc_domtrans(gnomeclock_t)
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
-+ ntp_sysctl(gnomeclock_t)
++ ntp_systemctl(gnomeclock_t)
+')
+
+optional_policy(`
@@ -34788,10 +34885,21 @@ index a627b34..c4cfc6d 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..c65263e 100644
+index 03742d8..6ba7c74 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
-@@ -43,9 +43,11 @@ corenet_all_recvfrom_netlabel(gpsd_t)
+@@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t)
+ # gpsd local policy
+ #
+
+-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
+-allow gpsd_t self:process setsched;
++allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
++allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow gpsd_t self:tcp_socket create_stream_socket_perms;
+@@ -43,9 +43,13 @@ corenet_all_recvfrom_netlabel(gpsd_t)
corenet_tcp_sendrecv_generic_if(gpsd_t)
corenet_tcp_sendrecv_generic_node(gpsd_t)
corenet_tcp_sendrecv_all_ports(gpsd_t)
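Review bot: The capability line now adds sys_time to gpsd_t (`allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };`) without saying which gpsd operation needs to set the clock; sys_time is one of the higher-impact capabilities, and unlike the other additions here (signal_perms, dev_read_sysfs) its purpose is not evident from the rule. Add a why-comment above the line, e.g. `# sys_time: gpsd adjusts the system clock (PPS/ntpshm) -- TODO confirm the exact call`, or, if the denial that motivated it is covered instead by the chronyd integration added in the next hunk, drop the capability.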
@@ -34801,14 +34909,17 @@ index 03742d8..c65263e 100644
+dev_read_sysfs(gpsd_t)
+
++domain_dontaudit_read_all_domains_state(gpsd_t)
++
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
-@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +60,11 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
+ chronyd_rw_shm(gpsd_t)
++ chronyd_stream_connect(gpsd_t)
+')
+
+optional_policy(`
@@ -41104,7 +41215,7 @@ index 15448d5..b6b42c1 100644
+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..3d2be3e 100644
+index abe3f7f..fe15a7d 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -41170,7 +41281,7 @@ index abe3f7f..3d2be3e 100644
+## </summary>
+## </param>
+#
-+interface(`nis_sysctl_ypbind',`
++interface(`nis_systemctl_ypbind',`
+ gen_require(`
+ type ypbind_unit_t;
+ ')
@@ -41190,7 +41301,7 @@ index abe3f7f..3d2be3e 100644
+## </summary>
+## </param>
+#
-+interface(`nis_sysctl',`
++interface(`nis_systemctl',`
+ gen_require(`
+ type nis_unit_t;
+ ')
@@ -41222,7 +41333,7 @@ index abe3f7f..3d2be3e 100644
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
-+ nis_sysctl_ypbind($1)
++ nis_systemctl_ypbind($1)
admin_pattern($1, yppasswdd_var_run_t)
@@ -41230,7 +41341,7 @@ index abe3f7f..3d2be3e 100644
admin_pattern($1, ypserv_tmp_t)
admin_pattern($1, ypserv_var_run_t)
-+ nis_sysctl($1)
++ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 4876cae..5f29ad9 100644
@@ -41545,7 +41656,7 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..766d99c 100644
+index e80f8c0..aaa2e79 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,45 @@ interface(`ntp_initrc_domtrans',`
@@ -41581,7 +41692,7 @@ index e80f8c0..766d99c 100644
+## </summary>
+## </param>
+#
-+interface(`ntp_sysctl',`
++interface(`ntp_systemctl',`
+ gen_require(`
+ type ntpd_unit_t;
+ ')
@@ -41639,7 +41750,7 @@ index e80f8c0..766d99c 100644
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
+
-+ ntp_sysctl($1)
++ ntp_systemctl($1)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index c61adc8..09bb140 100644
@@ -58731,7 +58842,7 @@ index 28ad538..5b765ce 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..0fe2836 100644
+index 73554ec..197fa07 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -59132,6 +59243,40 @@ index 73554ec..0fe2836 100644
')
########################################
+@@ -1659,3 +1796,33 @@ interface(`auth_unconfined',`
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
++########################################
++## <summary>
++## Transition to authlogin named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`authlogin_filetrans_named_content',`
++ gen_require(`
++ type shadow_t;
++ type faillog_t;
++ type wtmp_t;
++ ')
++
++ files_etc_filetrans($1, shadow_t, file, "shadow")
++ files_etc_filetrans($1, shadow_t, file, "shadow-")
++ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_var_filetrans($1, shadow_t, file, "shadow")
++ files_var_filetrans($1, shadow_t, file, "shadow-")
++ logging_log_named_filetrans($1, faillog_t, file, "tallylog")
++ logging_log_named_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, faillog_t, file, "btmp")
++ files_pid_filetrans($1, faillog_t, file, "faillog")
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b7a5f00..a53db2b 100644
--- a/policy/modules/system/authlogin.te
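Review bot: The new authlogin_filetrans_named_content interface departs from the `auth_` prefix used by the interfaces visible in this hunk's context (auth_use_pam, auth_unconfined); it is already called under that name from unconfineduser.te, so either rename both sites to `auth_filetrans_named_content` or add a comment noting the deviation. The shadow transitions cover `shadow`, `shadow-`, `gshadow` and `.pwd.lock` but not `gshadow-`, the backup that the group utilities write alongside `gshadow`; if authlogin.fc labels it shadow_t (refpolicy's `/etc/gshadow.*` spec would), add `files_etc_filetrans($1, shadow_t, file, "gshadow-")` so a copy created by unconfined_t is not left as etc_t. The summary `## Transition to authlogin named content` should say what is transitioned, e.g. `## Create shadow, faillog and wtmp files with their private types via named file transitions.`.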
@@ -59671,7 +59816,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..26c973e 100644
+index 94fd8dd..3e8f08e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -59767,17 +59912,17 @@ index 94fd8dd..26c973e 100644
typeattribute $2 direct_init_entry;
- userdom_dontaudit_use_user_terminals($1)
-+# userdom_dontaudit_use_user_terminals($1)
- ')
-
+- ')
+-
- ifdef(`hide_broken_symptoms',`
- # RHEL4 systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_rhel4',`
- kernel_dontaudit_use_fds($1)
- ')
-- ')
--
++# userdom_dontaudit_use_user_terminals($1)
+ ')
+
- optional_policy(`
- nscd_socket_use($1)
+ tunable_policy(`init_upstart || init_systemd',`
@@ -59917,7 +60062,7 @@ index 94fd8dd..26c973e 100644
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
-@@ -519,10 +589,48 @@ interface(`init_sigchld',`
+@@ -519,10 +589,66 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -59951,6 +60096,24 @@ index 94fd8dd..26c973e 100644
+
+######################################
+## <summary>
++## Dontaudit getattr to init with a unix socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_getattr_stream_socket',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:unix_stream_socket getattr;
++')
++
++######################################
++## <summary>
+## Dontaudit read and write to init with a unix socket.
+## </summary>
+## <param name="domain">
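Review bot: The summary of init_dontaudit_getattr_stream_socket, `## Dontaudit getattr to init with a unix socket.`, reads as if init were the subject; the rule is `dontaudit $1 init_t:unix_stream_socket getattr;`, so `## Do not audit attempts to get the attributes of init's unix stream sockets.` states the direction and matches the phrasing of the other dontaudit interfaces in this file.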
@@ -59968,7 +60131,7 @@ index 94fd8dd..26c973e 100644
')
########################################
-@@ -688,19 +796,25 @@ interface(`init_telinit',`
+@@ -688,19 +814,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -59995,7 +60158,7 @@ index 94fd8dd..26c973e 100644
')
')
-@@ -730,7 +844,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +862,7 @@ interface(`init_rw_initctl',`
## </summary>
## <param name="domain">
## <summary>
@@ -60004,7 +60167,7 @@ index 94fd8dd..26c973e 100644
## </summary>
## </param>
#
-@@ -773,18 +887,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -60028,7 +60191,7 @@ index 94fd8dd..26c973e 100644
')
')
-@@ -800,19 +915,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +933,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -60051,11 +60214,11 @@ index 94fd8dd..26c973e 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -60068,13 +60231,17 @@ index 94fd8dd..26c973e 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -868,9 +1005,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -60089,7 +60256,7 @@ index 94fd8dd..26c973e 100644
files_search_etc($1)
')
-@@ -1079,6 +1221,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -60114,7 +60281,7 @@ index 94fd8dd..26c973e 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1290,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -60128,7 +60295,7 @@ index 94fd8dd..26c973e 100644
')
########################################
-@@ -1375,6 +1530,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -60156,7 +60323,7 @@ index 94fd8dd..26c973e 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1637,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -60182,7 +60349,7 @@ index 94fd8dd..26c973e 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1714,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -60207,7 +60374,7 @@ index 94fd8dd..26c973e 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1586,6 +1799,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',`
########################################
## <summary>
@@ -60232,7 +60399,7 @@ index 94fd8dd..26c973e 100644
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
-@@ -1674,7 +1905,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -60241,7 +60408,7 @@ index 94fd8dd..26c973e 100644
')
########################################
-@@ -1715,6 +1946,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -60370,7 +60537,7 @@ index 94fd8dd..26c973e 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2102,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2120,156 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -62667,10 +62834,74 @@ index 02f4c97..cd16709 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..57064ad 100644
+index 831b909..efe1038 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
-@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
+@@ -491,6 +491,63 @@ interface(`logging_log_filetrans',`
+ filetrans_pattern($1, var_log_t, $2, $3)
+ ')
+
++#######################################
++## <summary>
++## Create an object in the log directory, with a private type.
++## </summary>
++## <desc>
++## <p>
++## Allow the specified domain to create an object
++## in the general system log directories (e.g., /var/log)
++## with a private type. Typically this is used for creating
++## private log files in /var/log with the private type instead
++## of the general system log type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++## </p>
++## <p>
++## Related interfaces:
++## </p>
++## <ul>
++## <li>logging_log_file()</li>
++## </ul>
++## <p>
++## Example usage with a domain that can create
++## and append to a private log file stored in the
++## general directories (e.g., /var/log):
++## </p>
++## <p>
++## type mylogfile_t;
++## logging_log_file(mylogfile_t)
++## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms };
++## logging_log_filetrans(mydomain_t, mylogfile_t, file)
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private type">
++## <summary>
++## The type of the object to be created.
++## </summary>
++## </param>
++## <param name="object">
++## <summary>
++## The object class of the object being created.
++## </summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`logging_log_named_filetrans',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ files_search_var($1)
++ filetrans_pattern($1, var_log_t, $2, $3, $4)
++')
++
+ ########################################
+ ## <summary>
+ ## Send system log messages.
+@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
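Review bot: The XML header of the new `logging_log_named_filetrans` documents only three parameters while the body passes `$4` to `filetrans_pattern`, so the object-name argument that makes this the "named" variant is undocumented; add a fourth block before the infoflow line, `## <param name="name" optional="true">` with the summary `The name of the object being created.`. The usage example in `<desc>` calls `logging_log_filetrans(mydomain_t, mylogfile_t, file)`, i.e. the unnamed interface; for this interface it should show the name argument, e.g. `logging_log_named_filetrans(mydomain_t, mylogfile_t, file, "mylog.log")`. It would also help reviewers of calling policy to state in the description that, through `filetrans_pattern`, the caller presumably receives directory write access on `var_log_t` in addition to the type transition, since that is the access being signed off, not just the labeling.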
@@ -62715,7 +62946,7 @@ index 831b909..57064ad 100644
## Read the auditd configuration files.
## </summary>
## <param name="domain">
-@@ -734,7 +772,25 @@ interface(`logging_append_all_logs',`
+@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -62742,7 +62973,7 @@ index 831b909..57064ad 100644
')
########################################
-@@ -817,7 +873,7 @@ interface(`logging_manage_all_logs',`
+@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -62751,7 +62982,7 @@ index 831b909..57064ad 100644
')
########################################
-@@ -843,6 +899,44 @@ interface(`logging_read_generic_logs',`
+@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@@ -62796,7 +63027,7 @@ index 831b909..57064ad 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -990,6 +1084,7 @@ interface(`logging_admin_syslog',`
+@@ -990,6 +1141,7 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -62804,7 +63035,7 @@ index 831b909..57064ad 100644
allow $1 syslogd_t:process { ptrace signal_perms };
allow $1 klogd_t:process { ptrace signal_perms };
ps_process_pattern($1, syslogd_t)
-@@ -1015,6 +1110,8 @@ interface(`logging_admin_syslog',`
+@@ -1015,6 +1167,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -63474,7 +63705,7 @@ index 9c0faab..dd6530e 100644
## loading modules.
## </summary>
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..223af54 100644
+index a0eef20..8b724a5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,11 +18,12 @@ type insmod_t;
@@ -63584,7 +63815,7 @@ index a0eef20..223af54 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +175,17 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +175,18 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -63599,10 +63830,11 @@ index a0eef20..223af54 100644
init_use_script_ptys(insmod_t)
+init_spec_domtrans_script(insmod_t)
+init_rw_script_tmp_files(insmod_t)
++init_dontaudit_getattr_stream_socket(insmod_t)
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,8 +195,7 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
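Review bot: `init_dontaudit_getattr_stream_socket(insmod_t)` names an interface that does not exist in the base init.if this patch is applied to, so the build depends on it being added elsewhere in the same patch; the init.if hunk headers earlier in this diff shift by 18 lines, which is consistent with such an addition, but the spelling must match exactly, as a mismatch only surfaces at policy build time. A short why-comment on the new line, `# silence getattr on init_t unix_stream_sockets (see changelog 3.10.0-21)`, would record what the dontaudit covers.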
@@ -63612,25 +63844,26 @@ index a0eef20..223af54 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -187,28 +206,23 @@ optional_policy(`
+@@ -187,28 +207,27 @@ optional_policy(`
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
-+ firstboot_dontaudit_leaks(insmod_t)
++ devicekit_use_fds_disk(insmod_t)
')
optional_policy(`
- hal_write_log(insmod_t)
-+ firewallgui_dontaudit_rw_pipes(insmod_t)
++ firstboot_dontaudit_leaks(insmod_t)
')
optional_policy(`
- hotplug_search_config(insmod_t)
--')
--
--optional_policy(`
++ firewallgui_dontaudit_rw_pipes(insmod_t)
+ ')
+
+ optional_policy(`
- mount_domtrans(insmod_t)
+ hal_write_log(insmod_t)
')
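Review bot: The new `devicekit_use_fds_disk(insmod_t)` block has no comment, and nothing in the hunk shows whether the interface is a full `allow` of `fd use` or a `dontaudit`; the commit message describes descriptors leaked from devicekit, for which the conventional refpolicy treatment is to dontaudit the leak rather than grant the access. If devicekit.if provides a dontaudit variant, prefer it; otherwise add a comment above the call, `# devicekit-disks leaks fds into insmod; workaround, not a required access path`, so the next maintainer does not treat the allow as intended data flow. The run of optional_policy blocks this hunk edits continues past the hunk end.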
@@ -63646,7 +63879,7 @@ index a0eef20..223af54 100644
')
optional_policy(`
-@@ -231,11 +245,15 @@ optional_policy(`
+@@ -231,11 +250,15 @@ optional_policy(`
')
optional_policy(`
@@ -63663,7 +63896,7 @@ index a0eef20..223af54 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +314,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -65727,7 +65960,7 @@ index ff80d0a..752e031 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..7564ed4 100644
+index 34d0ec5..ac52258 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -65878,7 +66111,7 @@ index 34d0ec5..7564ed4 100644
+optional_policy(`
+ nis_initrc_domtrans_ypbind(dhcpc_t)
nis_read_ypbind_pid(dhcpc_t)
-+ nis_sysctl_ypbind(dhcpc_t)
++ nis_systemctl_ypbind(dhcpc_t)
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4ea9766..cca2336 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Aug 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-21
+- Allow insmod_t to use fds leaked from devicekit
+- dontaudit getattr between insmod_t and init_t unix_stream_sockets
+- Change sysctl unit file interfaces to use systemctl
+- Add support for chronyd unit file
+- Allow mozilla_plugin to read gnome_usr_config
+- Add policy for new gpsd
+- Allow cups to create kerberos rhost cache files
+- Add authlogin_filetrans_named_content, to unconfined_t to make sure shadow and other log files get labeled correctly
+
* Tue Aug 23 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-20
- Make users_extra and seusers.final into config(noreplace) so semanage users and login does not get overwritten